Open
Bug 1245419
Opened 8 years ago
Updated 2 years ago
Failed/Untrusted HTTPS connection is reported as successful (200 Connection Established)
Categories
(DevTools :: Netmonitor, defect, P3)
Tracking
(Not tracked)
UNCONFIRMED
People
(Reporter: Ceremony, Unassigned)
Details
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160202004008

Steps to reproduce:

Try to connect to a site for which Firefox enforces HSTS (preconfigured/previously visited). This time, however, provide an invalid certificate to that site.

Actual results:

Site refuses to load (good). The network pane of the dev tools reports 200 Connection Established and no security warning is issued in the log. (bad)

In my case, the issue occurred when I had to implement some Google tracking on a company's website and their firewall blocks/hijacks googleadservices.com for tracking protection (oh the irony). googleadservices.com is part of FF's preloaded HSTS list. Upon testing whether what I just implemented worked, I ran into this bug.

Expected results:

Network and log should report such failed connections correctly.
Reporter
Comment 1•8 years ago
Updated•8 years ago
Component: Networking → Developer Tools
Product: Core → Firefox
Updated•8 years ago
Component: Developer Tools → Developer Tools: Netmonitor
Comment 3•8 years ago
For https://expired.badssl.com/ and also https://subdomain.preloaded-hsts.badssl.com/ I'm seeing no status show up in the netmonitor - as if the request is still pending.
Comment 4•8 years ago
(In reply to David from comment #0)
> In my case, the issue occurred when I had to implement some Google
> tracking on a company's website and their firewall blocks/hijacks
> googleadservices.com for tracking protection (oh the irony).
> googleadservices.com is part of FF's preloaded HSTS list. Upon testing
> whether what I just implemented worked, I ran into this bug.

I'm not sure how to reproduce this scenario locally so I haven't been able to confirm the '200' problem you are seeing. Let me know if you have any ideas how to do that. But I've seen a different variety of bugginess in Comment 3.
WFM on Fx45b3, 46.0a2 and 47.0a1. Steps: Visit http://hsts.badssl.com/, which works fine; add the "63.245.215.20 hsts.badssl.com" line to the hosts file; Ctrl+F5 (also clear the DNS cache if needed); the error screen is shown, and the devtools network panel shows what comment 3 describes.
Reporter
Comment 6•8 years ago
(In reply to Brian Grinstead [:bgrins] from comment #4)
> (In reply to David from comment #0)
> > In my case, the issue occurred when I had to implement some Google
> > tracking on a company's website and their firewall blocks/hijacks
> > googleadservices.com for tracking protection (oh the irony).
> > googleadservices.com is part of FF's preloaded HSTS list. Upon testing
> > whether what I just implemented worked, I ran into this bug.
>
> I'm not sure how to reproduce this scenario locally so I haven't been able
> to confirm the '200' problem you are seeing. Let me know if you have any
> ideas how to do that. But I've seen a different variety of bugginess in
> Comment 3

As I am behind a proxy (HTTP proxy, not SOCKS), it might be this constellation that causes it to report as 200: Firefox connects to the proxy as I try visiting a website. However, that site never gets the chance to respond, as the proxy hijacks the requests and responds with an invalid certificate. Firefox rejects it, though as it is already connected to the "site" (=proxy), it lists that connection as 200. Just a hypothesis, not tested, but that might be the difference between my result and yours.

P.S. At work (with the proxy), https://expired.badssl.com/ and https://subdomain.preloaded-hsts.badssl.com/ result in a 200 response, despite FF rejecting it. At home, I saw the same result as you: grey, as if it's still pending...
Updated•8 years ago
Priority: -- → P3
Updated•6 years ago
Product: Firefox → DevTools
Updated•2 years ago
Severity: normal → S3
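
The layering that the hypothesis in comment 6 describes, as an added example (not part of the bug report and not Firefox code): through an HTTP proxy, `200 Connection Established` is the proxy's answer to `CONNECT` and arrives before any TLS handshake, so a tool has to record the tunnel status and the TLS outcome as two separate results. Assumptions: the proxy is a constructed local stand-in that answers the handshake with a plaintext block page rather than an invalid certificate, and `fake_proxy`, `probe` and `demo` are hypothetical names.

```python
import socket
import ssl
import threading

def fake_proxy(listener):
    # Constructed stand-in for an intercepting proxy: accept CONNECT, then
    # answer the TLS ClientHello with bytes the client cannot trust (here a
    # plaintext block page instead of an invalid certificate).
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
        conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
        conn.recv(4096)  # the client's ClientHello
        conn.sendall(b"HTTP/1.1 403 Blocked\r\n\r\n")

def probe(proxy_addr, host, port=443):
    # Report the proxy's CONNECT status and the TLS outcome separately.
    with socket.create_connection(proxy_addr, timeout=5) as sock:
        sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\n"
                     f"Host: {host}:{port}\r\n\r\n".encode())
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
        connect_status = reply.split(b"\r\n", 1)[0].decode("latin-1")
        try:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls_outcome = "ok " + tls.version()
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            tls_outcome = "failed " + type(exc).__name__
    return connect_status, tls_outcome

def demo():
    # Runs offline: the client only ever talks to the local stand-in proxy.
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=fake_proxy, args=(listener,), daemon=True).start()
    try:
        return probe(listener.getsockname(), "hsts.badssl.com")
    finally:
        listener.close()

if __name__ == "__main__":
    print(demo())
```

A network log that stores only `connect_status` would show success for this connection even though the TLS layer rejected it.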